
Call me at 310-570-2399 if you collect any personal data from any EU resident to see how to get prepared.

Enforcement Deadline: May 25, 2018

Regulatory Bodies: EU Parliament

A regulation is binding legislation across the EU.

Some conflicts remain between the Commission language and the Parliamentary language, and these are still being hammered out.

Actual text is here: https://www.eugdpr.org/more-resources-1.html

What is Personal Data:

Any information about a natural person that can identify that person, including name, photo, email, bank details, posts, medical information and IP address.

Potential for abuse: “Think of targeted advertising: the ad network does not need to know who the person that visited a website is, it is enough to know that this person is the same person who earlier visited sites A and B and sometimes clicks on ads for product C. This should be reflected in the definition of data subject by including the aspect of ‘singling out’.” (https://edri.org/files/GDPR-key-issues-explained.pdf)

Entities covered: “it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”

Consent: Must be clear, distinguishable, intelligible and easily accessible, with the purpose of the processing clearly defined.

Consent may be withdrawn.

Consent is required for the collection to have a lawful purpose.

Notification Requirement: within 72 hours of first having become aware, or where the breach is “likely to result in risk to the rights and freedoms of individuals”.

Notice goes to customers and to controllers.

Right to Access: User must be able to obtain confirmation whether or not personal data is being processed, where and for what purpose.

Right to obtain a copy in electronic format, free of charge.

Right to be Forgotten (Article 17):

Right to have all data erased, dissemination ceased and third parties made to halt processing.

Reasonable steps (Article 17(2))

The right is not absolute, however, and permits exceptions for purposes of freedom of expression. For example: “These exceptions allow Member States to restrict data protection rights in order to reconcile the fundamental rights to data protection and freedom of expression.” (Id.)

Portability:

Right to obtain all data in a “commonly used and machine readable format”, or to have it transferred to another controller.

Note: non-final language.

Commission: if the subject has provided personal data and the processing is based on consent or on a contract, the subject has the right to transmit that data.

Parliament:

If the subject provided personal data and the personal data is processed electronically, the subject has the right to obtain a copy.

Council: no right where disclosing the personal data would infringe IP rights.

Privacy by Design (Article 23):

“The controller shall … implement appropriate technical and organizational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects”

Out-of-the-box products should be designed with privacy in mind from the start.

Encryption does not appear to be mandatory.

Only process data that is absolutely necessary for completion of duties, AND limit others’ access to personal information during processing.

Lawful purposes include: “consent, the necessity for fulfillment of contract, legal obligation, necessary for vital interests of the data subject, necessity for the performance of a task in the public interest / official authority”

What is necessary?

“For example, it is generally accepted that limited processing of personal data can be carried out for reasons of IT security, to ensure availability of services. On the other hand, incompatible purposes have no relation to the initial purpose. An example is telecommunications data retention: the initial purpose of collection (billing) and the further processing (storage for law enforcement use) are completely unrelated. In some cases, such incompatible use might be justified. The Commission proposal allows incompatible use if the new incompatible use has a basis in one of the grounds for lawfulness, except for legitimate interest. Therefore, the data retention example would be covered under processing that is necessary for compliance with a legal obligation to which the controller (here: telecommunications operator) is subject (Article 6(1)(c)).” (https://edri.org/files/GDPR-key-issues-explained.pdf)

Data Protection Officers (Article 37):

Appointment is only required for a public authority, for systematic monitoring of data subjects on a large scale, or for processing of special categories of data or data relating to criminal convictions/offenses.

Otherwise: an internal record-keeping requirement applies.

Model Contract Clauses are proposed.

Note: non-final language remains.

Parliament text calls for DPO if:

Processing of special categories of data (health, religious or political)

Processing data of over 5,000 data subjects in 12 months

Commission text requires a DPO if:

Over 250 employees

Council text does not mandate a DPO unless required by EU or member state law.
